Release date:
Updated on: 2011-03-17
Affected Systems:
Asterisk 1.8.x
Asterisk 1.6.x
Unaffected system:
Asterisk 1.8.3.1
Asterisk 1.6.2.17.1
Asterisk 1.6.1.23
Description:
--------------------------------------------------------------------------------
Bugtraq id: 46897
Asterisk is free and open-source software that provides private branch exchange (PBX) functionality.
The Asterisk Manager Interface (AMI) has a denial-of-service vulnerability. A remote attacker can exploit it to make Asterisk consume all available CPU and memory, so that the affected application stops responding, resulting in denial of service.
The Asterisk Manager Interface fails to properly handle write failures on a manager client connection. An attacker can consume CPU and memory by sending invalid data and opening and closing many connections within a short time.
<* Source: Blake Cornell
Link: http://downloads.asterisk.org/pub/security/AST-2011-003.html
*>
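Because the advisory describes the trigger as many manager connections opened and closed in a short time, one defender-side check is to watch the Asterisk log for session churn from a single source address. The following is an added example and is not part of the original advisory or of the Asterisk project; the log lines are constructed and only approximate the shape of Asterisk's manager log messages, and the window and threshold values are assumptions to tune for your deployment.

```python
"""Flag AMI session churn from one source address in an Asterisk log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the general shape of an Asterisk full log;
# they are not captured from a real system.
SAMPLE_LOG = """\
[Mar 17 10:00:00] NOTICE[2081] manager.c: Manager 'admin' logged on from 192.0.2.10
[Mar 17 10:00:00] NOTICE[2081] manager.c: Manager 'admin' logged off from 192.0.2.10
[Mar 17 10:00:01] NOTICE[2081] manager.c: Manager 'admin' logged on from 192.0.2.10
[Mar 17 10:00:01] NOTICE[2081] manager.c: Manager 'admin' logged off from 192.0.2.10
[Mar 17 10:00:01] NOTICE[2081] manager.c: Manager 'admin' logged on from 192.0.2.10
[Mar 17 10:00:02] NOTICE[2081] manager.c: Manager 'admin' logged off from 192.0.2.10
[Mar 17 10:00:02] NOTICE[2081] manager.c: Manager 'admin' logged on from 192.0.2.10
[Mar 17 10:00:02] NOTICE[2081] manager.c: Manager 'admin' logged off from 192.0.2.10
[Mar 17 10:00:03] NOTICE[2081] manager.c: Manager 'admin' logged on from 192.0.2.10
[Mar 17 10:00:03] NOTICE[2081] manager.c: Manager 'admin' logged off from 192.0.2.10
[Mar 17 10:04:30] NOTICE[2081] manager.c: Manager 'ops' logged on from 198.51.100.7
[Mar 17 10:09:45] NOTICE[2081] manager.c: Manager 'ops' logged off from 198.51.100.7
"""

# Matches only the manager logon/logoff lines we care about.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"[A-Z]+\[\d+\] manager\.c: Manager '(?P<user>[^']*)' "
    r"(?P<event>logged on|logged off) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return (timestamp, user, event, ip), or None for lines we don't track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The log carries no year; strptime defaults to 1900, which is fine for
    # relative comparisons within one file.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("event"), m.group("ip")


def detect_churn(log_text, window_seconds=10, threshold=5):
    """Flag addresses that close >= threshold AMI sessions within window_seconds.

    Returns {ip: (disconnects_in_window, trigger_timestamp)} for the first
    time each address crosses the threshold. Both limits are assumed values.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent "logged off" events
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, event, ip = parsed
        if event != "logged off":
            continue
        q = recent[ip]
        q.append(ts)
        # Slide the window: drop disconnects older than window_seconds.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), ts)
    return alerts


if __name__ == "__main__":
    for ip, (count, when) in detect_churn(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S}: {ip} closed {count} AMI sessions within 10s")
```

Such a check only narrows the time to notice an attempt; the fix is upgrading to the unaffected versions listed above, and exposure can be reduced by restricting which addresses may reach the manager port (for example with the permit and deny settings in manager.conf, or a host firewall).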
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Asterisk
--------
Asterisk has released security advisory AST-2011-003 and corresponding patches for this issue:
AST-2011-003: Resource exhaustion in Asterisk Manager Interface
Link: http://downloads.asterisk.org/pub/security/AST-2011-003.html